In the wake of several data breach scandals in 2005, 39 states and the District of Columbia have passed some form of data breach legislation, according to the National Conference of State Legislatures.
These notification laws essentially require companies that handle personally identifiable information to inform individuals of data breaches.
But states are starting to add a new twist to the laws, requiring that personal information be encrypted – an extra step that may add security, but also adds costs and more potential confusion for companies.
Nevada and Massachusetts currently have encryption requirements, and state legislatures in Michigan and Washington are considering such measures.
Encryption “is definitely a useful security tool and a necessary measure for protecting confidential information,” said Michael Vatis, a partner at Steptoe & Johnson in New York City who specializes in e-commerce and Internet law. “But it gets tricky when states try to mandate it because different sorts of information warrant different levels of protection and it is complicated to regulate that.”
In addition, “it’s even more worrisome when there are different standards nationally, from state to state,” he said.
Randy Sabett, a partner who specializes in privacy and data security at Sonnenschein Nath & Rosenthal in Washington, D.C., agreed.
With companies currently facing a patchwork of existing data breach notification laws, new encryption requirements would add another layer of complication, he said.
“Technology always outpaces the law, so having state legislatures get involved in technology issues may not be the best approach,” Sabett cautioned. “What is secure today may not be good enough tomorrow.”
Safety and cost
Relying on a specific form of technology could pose even greater problems in the future, as technology advances and encryption as a means of safely protecting personal information becomes obsolete, said John P. Hutchins, a partner at Troutman Sanders in Atlanta who specializes in technology litigation.
“The technology itself is going to change in a much shorter period of time than the conduct that states are trying to regulate,” he said.
And the proposed legislation is often far from clear.
“There are lots of different types of encryption,” explained Hutchins, but the statutes define it in very broad terms.
The definitions of encryption in Massachusetts and Nevada use language describing the “transformation of information using an algorithmic process.”
But “any number of different things that would fit the definition,” Sabett said. That ambiguity does not help companies trying to meet the requirements.
Michigan’s proposed statute requires entities that collect and store personally identifiable information to encrypt that information “in conformity with current industry-standard encryption methods and capabilities.”
Washington’s proposal uses similar language – a person or business is in compliance with the encryption requirement if it “uses encryption practices that are generally accepted by the industry.”
But “what industry?” wondered Sabett. “If you ask 10 experts for a standard practice, you will get 10 different answers.”
Michigan’s law also provides for criminal penalties – fines or even imprisonment – for those who fail to encrypt.
Hutchins suggested that more specific legislative guidance could be helpful for companies, but on the other hand, dictating a specific type of encryption “would be some serious micro-management.”
Further, most experts believe encryption isn’t a panacea for all safety problems. For example, researchers at Princeton University recently revealed they were able to steal the encryption key from a computer’s hard drive.
By turning off a computer and rebooting it from a portable hard disk, hackers can read the contents of the memory chips, which gives them a way around the operating-system protections that keep the keys hidden.
Sabett also noted that some companies may make an intentional decision not to encrypt personally identifiable information for business reasons.
“An electronic banking client may not want to have their customers sit there and have to wait 30 seconds while data encrypts,” he said.
Layers of requirements
Another potential problem with the breach notification laws is lack of uniformity.
“It is very difficult for companies to have to comply with dozens of different laws,” Vatis said.
The definition of “personally identifiable information” varies from state to state, as do other requirements, making it extremely difficult for companies with a national or multi-state presence to follow the various laws.
“Some states define personally identifiable information as a name in combination with a bank account or credit card and a PIN number, while other states don’t include a PIN number,” Vatis said. “This difference isn’t immediately obvious to companies until they start dealing with a data breach.”
Given this, a company that must notify individuals in one state will go ahead and notify in other states that don’t require it because the weeding out process can be too complicated, he said.
Another wrinkle is Florida’s “risk of harm” analysis, which provides a threshold question for companies: Does the data breach in question raise a risk of harm that requires notification of individuals? Instead of mandatory notification, a company only provides notice after a breach when it believes there is a substantial risk of identity theft.
Hutchins – who estimated he gets at least one call a week from a client who has suffered a data breach – said third-party notice issues also complicate a company’s notification requirements.
“Some states require notice to a consumer protection agency or the state attorney general if the data of a certain number of individuals has been compromised,” he said.
However, the number of individuals that triggers the third-party notice varies from state to state, as do the entities that should be notified.
All of these differences mean that “instead of focusing on getting notice to affected customers about the breach, companies instead have to spend a lot of time and effort to figure how not to violate these notification laws,” Vatis said. “The details of compliance should not be the important focus.”
Although federal legislation has been proposed several times over the years, its passage in the near future appears unlikely, given that it’s an election year and there is a lack of consensus on the issues.